1 files changed, 149 insertions, 0 deletions

diff --git a/examples/src/main/java/com/example/MazeFuzzer.java b/examples/src/main/java/com/example/MazeFuzzer.java
new file mode 100644
index 00000000..9d3448c7
--- /dev/null
+++ b/examples/src/main/java/com/example/MazeFuzzer.java
@@ -0,0 +1,149 @@
+// Copyright 2022 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.example;
+
+import com.code_intelligence.jazzer.api.Consumer3;
+import com.code_intelligence.jazzer.api.Jazzer;
+import java.util.Arrays;
+import java.util.stream.Collectors;
+
+// A fuzz target that shows how manually informing the fuzzer about important state can make a fuzz
+// target much more effective.
+// This is a Java version of the famous "maze game" discussed in
+// "IJON: Exploring Deep State Spaces via Fuzzing", available at:
+// https://wcventure.github.io/FuzzingPaper/Paper/SP20_IJON.pdf
+public final class MazeFuzzer {
+  private static final String[] MAZE_STRING = new String[] {
+      "  ███████████████████",
+      "    █ █ █   █ █     █",
+      "█ █ █ █ ███ █ █ █ ███",
+      "█ █ █   █       █   █",
+      "█ █████ ███ ███ █ ███",
+      "█       █   █ █ █   █",
+      "█ ███ ███████ █ ███ █",
+      "█ █     █ █     █   █",
+      "███████ █ █ █████ ███",
+      "█   █       █     █ █",
+      "█ ███████ █ ███ ███ █",
+      "█   █     █ █ █   █ █",
+      "███ ███ █ ███ █ ███ █",
+      "█     █ █ █   █     █",
+      "█ ███████ █ █ █ █ █ █",
+      "█ █         █ █ █ █ █",
+      "█ █ █████████ ███ ███",
+      "█   █   █   █ █ █   █",
+      "█ █ █ ███ █████ ███ █",
+      "█ █         █        ",
+      "███████████████████ #",
+  };
+
+  private static final char[][] MAZE = parseMaze();
+  private static final char[][] REACHED_FIELDS = parseMaze();
+
+  public static void fuzzerTestOneInput(byte[] commands) {
+    executeCommands(commands, (x, y, won) -> {
+      if (won) {
+        throw new TreasureFoundException(commands);
+      }
+      // This is the key line that makes this fuzz target work: It instructs the fuzzer to track
+      // every new combination of x and y as a new feature. Without it, the fuzzer would be
+      // completely lost in the maze as guessing an escaping path by chance is close to impossible.
+      Jazzer.exploreState(hash(x, y), 0);
+      if (REACHED_FIELDS[y][x] == ' ') {
+        // Fuzzer reached a new field in the maze, print its progress.
+        REACHED_FIELDS[y][x] = '.';
+        System.out.println(renderMaze(REACHED_FIELDS));
+      }
+    });
+  }
+
+  // Hash function with good mixing properties published by Thomas Mueller
+  // under the terms of CC BY-SA 4.0 at
+  // https://stackoverflow.com/a/12996028
+  // https://creativecommons.org/licenses/by-sa/4.0/
+  private static byte hash(byte x, byte y) {
+    int h = (x << 8) | y;
+    h = ((h >> 16) ^ h) * 0x45d9f3b;
+    h = ((h >> 16) ^ h) * 0x45d9f3b;
+    h = (h >> 16) ^ h;
+    return (byte) h;
+  }
+
+  private static class TreasureFoundException extends RuntimeException {
+    TreasureFoundException(byte[] commands) {
+      super(renderPath(commands));
+    }
+  }
+
+  private static void executeCommands(byte[] commands, Consumer3<Byte, Byte, Boolean> callback) {
+    byte x = 0;
+    byte y = 0;
+    callback.accept(x, y, false);
+
+    for (byte command : commands) {
+      byte nextX = x;
+      byte nextY = y;
+      switch (command) {
+        case 'L':
+          nextX--;
+          break;
+        case 'R':
+          nextX++;
+          break;
+        case 'U':
+          nextY--;
+          break;
+        case 'D':
+          nextY++;
+          break;
+        default:
+          return;
+      }
+      char nextFieldType;
+      try {
+        nextFieldType = MAZE[nextY][nextX];
+      } catch (IndexOutOfBoundsException e) {
+        // Fuzzer tried to walk through the exterior walls of the maze.
+        continue;
+      }
+      if (nextFieldType != ' ' && nextFieldType != '#') {
+        // Fuzzer tried to walk through the interior walls of the maze.
+        continue;
+      }
+      // Fuzzer performed a valid move.
+      x = nextX;
+      y = nextY;
+      callback.accept(x, y, nextFieldType == '#');
+    }
+  }
+
+  private static char[][] parseMaze() {
+    return Arrays.stream(MazeFuzzer.MAZE_STRING).map(String::toCharArray).toArray(char[][] ::new);
+  }
+
+  private static String renderMaze(char[][] maze) {
+    return Arrays.stream(maze).map(String::new).collect(Collectors.joining("\n", "\n", "\n"));
+  }
+
+  private static String renderPath(byte[] commands) {
+    char[][] mutableMaze = parseMaze();
+    executeCommands(commands, (x, y, won) -> {
+      if (!won) {
+        mutableMaze[y][x] = '.';
+      }
+    });
+    return renderMaze(mutableMaze);
+  }
+}